Perl up to 5.24.2/5.26.0 win32/perlhost.h CPerlHost::Add Environment Variable memory corruption

entryeditHistoryDiffjsonxmlCTI

A vulnerability was found in Perl up to 5.24.2/5.26.0 (Programming Language Software). It has been rated as critical. Affected by this issue is the function CPerlHost::Add of the file win32/perlhost.h. Upgrading to version 5.24.3-RC1 or 5.26.1-RC1 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at perl5.git.perl.org. The best possible mitigation is suggested to be patching the affected component. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Field09/28/2017 11:11 AM11/20/2019 09:13 AM01/14/2021 03:36 PM
typeProgramming Language SoftwareProgramming Language SoftwareProgramming Language Software
namePerlPerlPerl
version<=5.24.2/5.26.0<=5.24.2/5.26.0<=5.24.2/5.26.0
filewin32/perlhost.hwin32/perlhost.hwin32/perlhost.h
functionCPerlHost::AddCPerlHost::AddCPerlHost::Add
input_typeEnvironment VariableEnvironment VariableEnvironment Variable
cwe119 (memory corruption)119 (memory corruption)119 (memory corruption)
risk222
cvss2_vuldb_basescore6.86.86.8
cvss2_vuldb_tempscore5.95.95.9
cvss2_vuldb_avNNN
cvss2_vuldb_acMMM
cvss2_vuldb_auNNN
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_nvd_avNNN
cvss2_nvd_acLLL
cvss2_nvd_auNNN
cvss2_nvd_ciPPP
cvss2_nvd_iiPPP
cvss2_nvd_aiPPP
cvss3_meta_basescore8.58.58.5
cvss3_meta_tempscore8.28.28.2
cvss3_vuldb_basescore7.37.37.3
cvss3_vuldb_tempscore7.07.07.0
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiNNN
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_nvd_avNNN
cvss3_nvd_acLLL
cvss3_nvd_prNNN
cvss3_nvd_uiNNN
cvss3_nvd_sUUU
cvss3_nvd_cHHH
cvss3_nvd_iHHH
cvss3_nvd_aHHH
date1506556800 (09/28/2017)1506556800 (09/28/2017)1506556800 (09/28/2017)
locationGIT RepositoryGIT RepositoryGIT Repository
typeGIT CommitGIT CommitGIT Commit
urlhttps://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
price_0day$0-$5k$0-$5k$0-$5k
namePatchPatchPatch
upgrade_version5.24.3-RC1/5.26.1-RC15.24.3-RC1/5.26.1-RC15.24.3-RC1/5.26.1-RC1
patch_urlhttps://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
cveCVE-2017-12814CVE-2017-12814CVE-2017-12814
cve_assigned150240960015024096001502409600
cve_nvd_published150647040015064704001506470400
cve_nvd_summaryStack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
securityfocus101051101051101051
securityfocus_titlePerl CVE-2017-12814 Stack Based Buffer Overflow VulnerabilityPerl CVE-2017-12814 Stack Based Buffer Overflow VulnerabilityPerl CVE-2017-12814 Stack Based Buffer Overflow Vulnerability
nessus_id103442103442103442
nessus_nameFreeBSD : perl -- multiple vulnerabilities (d9e82328-a129-11e7-987e-4f174049b30a)FreeBSD : perl -- multiple vulnerabilities (d9e82328-a129-11e7-987e-4f174049b30a)FreeBSD : perl -- multiple vulnerabilities (d9e82328-a129-11e7-987e-4f174049b30a)
nessus_filenamefreebsd_pkg_d9e82328a12911e7987e4f174049b30a.naslfreebsd_pkg_d9e82328a12911e7987e4f174049b30a.naslfreebsd_pkg_d9e82328a12911e7987e4f174049b30a.nasl
nessus_riskHighHighHigh
nessus_familyFreeBSD Local Security ChecksFreeBSD Local Security ChecksFreeBSD Local Security Checks
nessus_typelocallocallocal
nessus_date1506297600 (09/25/2017)1506297600 (09/25/2017)1506297600 (09/25/2017)
cvss2_vuldb_eNDNDND
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_rcCCC
cvss3_vuldb_eXXX
cvss3_vuldb_rlOOO
cvss3_vuldb_rcCCC
0day_days999
cvss3_nvd_basescore9.89.89.8
discoverydate15054336001505433600
confirm_urlhttps://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
date1506211200 (09/24/2017)1506211200 (09/24/2017)
securityfocus_date1506556800 (09/28/2017)1506556800 (09/28/2017)
securityfocus_classBoundary Condition ErrorBoundary Condition Error
person_nameJohn Leitch
cvss2_nvd_basescore7.5

Do you know our Splunk app?

Download it now for free!